Lib.rs

Command line utilities | Cryptography | Web programming
#scanner #security #quantum #pqc

app kybercheck

Quantum-vulnerable cryptography scanner for Post-Quantum Cryptography migration

Owned by Ganamedee.

5 stable releases

1.8.0 Feb 2, 2026
1.6.0 Jan 17, 2026
1.5.0 Jan 16, 2026
1.3.0 Jan 11, 2026
1.2.0 Jan 11, 2026

#2507 in Command line utilities

MIT license

490KB
10K SLoC

KyberCheck Scanner

A Rust-based CLI tool for scanning codebases for quantum-vulnerable cryptography.

Version: 1.2.0

Features

  • 🚀 Parallel scanning - Multi-threaded file processing for fast scans
  • 🌐 Remote repository scanning - Scan GitHub repos directly without cloning
  • 🔍 20 programming languages supported
  • 🎯 Language filtering - Scan only specific languages
  • 📊 Impact analysis - Database schema and API payload impact detection

Installation

From Source

cargo install --path .

From Crates.io (when published)

cargo install kybercheck

Usage

Basic Scan

kybercheck scan /path/to/project

Remote Repository Scan

Scan a GitHub repository directly without manually cloning:

# Using GitHub shorthand
kybercheck remote owner/repo

# Using full URL
kybercheck remote https://github.com/owner/repo.git

# Scan specific branch
kybercheck remote owner/repo --branch main

# Keep the cloned repo after scan
kybercheck remote owner/repo --keep

# Filter languages in remote scan
kybercheck remote owner/repo -l rust,python

Scan Only Specific Languages

# Scan only Rust and Python files
kybercheck scan --languages rust,python /path/to/project

# Short form
kybercheck scan -l php,ruby,javascript /path/to/project

Output to File

kybercheck scan /path/to/project --output results.json --format json

Submit to Dashboard

kybercheck submit results.json --api-key YOUR_API_KEY

Initialize Config

kybercheck init

Show Supported Patterns

kybercheck info

Command Reference

scan

Scan a local directory or file for quantum-vulnerable cryptography.

kybercheck scan [OPTIONS] [PATH]

Arguments:
  [PATH]  Path to scan (default: current directory)

Options:
  -o, --output <FILE>       Output file path
  -f, --format <FORMAT>     Output format (console, json) [default: console]
  -l, --languages <LANGS>   Only scan specific languages (comma-separated)
      --dependencies        Include dependency analysis [default: true]
      --db-impact           Analyze database impacts [default: true]
      --fail-on-vuln        Exit with error if vulnerabilities found
      --min-severity <SEV>  Minimum severity (low, medium, high, critical)
  -e, --exclude <PATTERN>   Exclude patterns (can be used multiple times)
  -v, --verbose             Enable verbose output

remote

Clone and scan a remote Git repository.

kybercheck remote [OPTIONS] <URL>

Arguments:
  <URL>  Git repository URL or GitHub shorthand (e.g., owner/repo)

Options:
  -b, --branch <BRANCH>     Branch to scan (default: default branch)
  -o, --output <FILE>       Output file path
  -l, --languages <LANGS>   Only scan specific languages (comma-separated)
      --fail-on-vuln        Exit with error if vulnerabilities found
      --min-severity <SEV>  Minimum severity (low, medium, high, critical)
  -e, --exclude <PATTERN>   Exclude patterns (can be used multiple times)
      --keep                Keep cloned repository after scan (prints path)

submit

Submit scan results to KyberCheck API.

kybercheck submit [OPTIONS] <RESULTS>

Arguments:
  <RESULTS>  Path to scan results JSON file

Options:
      --api-key <KEY>   API key (or set KYBERCHECK_API_KEY env var)
      --api-url <URL>   API endpoint [default: https://api.kybercheck.io]
      --repo-id <ID>    Repository identifier

init

Create a configuration file.

kybercheck init [OPTIONS]

Options:
  -f, --force  Overwrite existing config

Supported Languages

Language Filter Names Extensions
JavaScript javascript, js .js, .jsx, .mjs, .cjs
TypeScript typescript, ts .ts, .tsx, .mts, .cts
Python python, py .py, .pyw, .pyi
Go go .go
Java java .java
Kotlin kotlin .kt, .kts
Scala scala .scala, .sc
Groovy groovy .groovy, .gvy
Rust rust .rs
C c .c, .h
C++ cpp, c++ .cpp, .cc, .cxx, .hpp
C# csharp, c#, cs .cs, .csx
PHP php .php, .phtml
Ruby ruby, rb .rb, .rbw, .rake
Swift swift .swift
Objective-C objectivec, objc .m, .mm
Shell/Bash shell, sh, bash .sh, .bash, .zsh
Perl perl .pl, .pm
Lua lua .lua
Dart dart .dart

Configuration

Create .kybercheck.toml in your project root:

[scan]
analyze_dependencies = true
analyze_db_impact = true
min_severity = "low"

# Only scan specific languages (empty = scan all)
languages = ["rust", "python", "javascript"]

# Patterns to exclude from scanning
exclude = [
    "node_modules/**",
    "vendor/**",
    "target/**",
]

[api]
url = "https://api.kybercheck.io"

[repo]
id = "my-org/my-repo"

Default Exclusions

The scanner automatically ignores common build artifacts and dependencies:

  • Version Control: .git, .svn, .hg
  • Node.js: node_modules, dist, build, .next, minified JS
  • Python: __pycache__, venv, .venv, site-packages
  • Rust: target
  • Go/PHP: vendor
  • Java/JVM: .gradle, .m2, bin, out, .class, .jar
  • C#/.NET: obj, packages, .nuget
  • Ruby: bundle, .bundle
  • Swift/iOS: Pods, DerivedData
  • Dart/Flutter: .dart_tool, build
  • IDE: .idea, .vscode, .vs
  • Coverage: coverage, .nyc_output, htmlcov

Environment Variables

  • KYBERCHECK_API_KEY - API key for submissions
  • KYBERCHECK_API_URL - API endpoint URL
  • KYBERCHECK_REPO_ID - Repository identifier

Detected Vulnerabilities

Quantum-Vulnerable (Critical)

  • RSA (all key sizes)
  • ECDSA / ECDH
  • DSA
  • Diffie-Hellman

Weak Cryptography (High)

  • SHA-1
  • MD5
  • Weak random number generators

Deprecated (Medium)

  • 3DES
  • RC4
  • DES

Migration Impact Analysis

The scanner detects when vulnerabilities may cause:

  1. Database Schema Conflicts - PQC keys are larger and may not fit existing columns
  2. API Payload Bloat - Larger keys affect response sizes
  3. Architectural Refactoring - RSA must be replaced with KEM pattern
  4. Certificate Infrastructure - PKI changes required

NIST PQC Standards (Target Migration)

Algorithm Purpose
CRYSTALS-Kyber (ML-KEM) Key Encapsulation Mechanism
CRYSTALS-Dilithium (ML-DSA) Digital Signatures
SPHINCS+ Hash-based Signatures
FALCON Lattice-based Signatures

Examples

# Scan current directory
kybercheck scan

# Scan a specific project
kybercheck scan /path/to/project

# Scan only Python and JavaScript files
kybercheck scan -l python,javascript /path/to/project

# Output JSON results
kybercheck scan --output results.json --format json /path/to/project

# Fail CI if vulnerabilities found
kybercheck scan --fail-on-vuln --min-severity high /path/to/project

# Exclude test directories
kybercheck scan -e "**/*test*/**" -e "**/spec/**" /path/to/project

# Scan a GitHub repo directly
kybercheck remote microsoft/vscode -l typescript

# Scan a crypto library repo
kybercheck remote phpseclib/phpseclib -l php --output results.json

Performance

KyberCheck v1.2.0 uses parallel processing for fast scanning:

  • Multi-threaded file reading and analysis
  • Shallow cloning for remote repositories
  • Automatic CPU core detection for optimal thread count

Exit Codes

  • 0 - Success (no vulnerabilities, or vulnerabilities found but --fail-on-vuln not set)
  • 1 - Vulnerabilities found (when --fail-on-vuln is set)
  • 2 - Error during scanning

License

MIT License

Dependencies

~181MB
~4.5M SLoC